rpmsg: validate incoming message length before propagating
Ohad Ben-Cohen [Tue, 28 Feb 2012 14:16:48 +0000 (16:16 +0200)]
When an inbound message arrives, validate its reported length before
propagating it, otherwise buggy (or malicious) remote processors might
trick us into accessing memory which we really shouldn't.

Signed-off-by: Ohad Ben-Cohen <ohad@wizery.com>
Cc: Grant Likely <grant.likely@secretlab.ca>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Mark Grosen <mgrosen@ti.com>
Cc: Suman Anna <s-anna@ti.com>
Cc: Fernando Guzman Lugo <fernando.lugo@ti.com>
Cc: Rob Clark <rob@ti.com>
Cc: Ludovic BARRE <ludovic.barre@stericsson.com>
Cc: Loic PALLARDY <loic.pallardy@stericsson.com>
Cc: Omar Ramirez Luna <omar.luna@linaro.org>

drivers/rpmsg/virtio_rpmsg_bus.c

index 4db9cf8..1e8b8b6 100644 (file)
@@ -778,6 +778,16 @@ static void rpmsg_recv_done(struct virtqueue *rvq)
        print_hex_dump(KERN_DEBUG, "rpmsg_virtio RX: ", DUMP_PREFIX_NONE, 16, 1,
                                        msg, sizeof(*msg) + msg->len, true);
 
+       /*
+        * We currently use fixed-sized buffers, so trivially sanitize
+        * the reported payload length.
+        */
+       if (len > RPMSG_BUF_SIZE ||
+               msg->len > (len - sizeof(struct rpmsg_hdr))) {
+               dev_warn(dev, "inbound msg too big: (%d, %d)\n", len, msg->len);
+               return;
+       }
+
        /* use the dst addr to fetch the callback of the appropriate user */
        mutex_lock(&vrp->endpoints_lock);
        ept = idr_find(&vrp->endpoints, msg->dst);